Skip to main content

2FA Look-up Secrets and Recovery Codes

Lookup secrets (lookup_secret) are passwords generated by the server. These passwords can only be used once, and the end-user typically downloads them, stores them in their password manager, or writes them down. Lookup secrets are commonly used when the end-user loses access to their TOTP or WebAuthn device!

Generating new recovery codes

Configuration

Enabling this method is as easy as setting

kratos.config.yml
selfservice:
methods:
lookup_secret:
enabled: true

Identity Credentials

The lookup_secret method would generate a credentials block as follows:

credentials:
password:
id: lookup_secret
identifiers:
# This is the identity's ID
- 802471b9-06f5-49d4-a88d-5e7d6bcfed22
config:
recovery_codes:
- code: 1bc6bea
- code: 1bc6bea
used_at: 2021-10-14T07:38:51Z